Date: Sun, 25 Jul 2004 23:01:06 GMT
From: Timothy Radigan <tradigan@newrevolutions.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
Message-ID: <200407252301.i6PN16AH063934@www.freebsd.org>
Resent-Message-ID: <200407252310.i6PNAFwX036242@freefall.freebsd.org>

>Number: 69596
>Category: misc
>Synopsis: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 25 23:10:15 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Timothy Radigan
>Release: 5.1
>Organization: New Revolutions
>Environment:
FreeBSD nr-fbsd-01.newrevolutions.net 5.1-RELEASE-p16 FreeBSD 5.1-RELEASE-p16 #2: Sat May 15 14:35:21 EDT 2004 radigan@nr-fbsd-01.newrevolutions.net:/usr/obj/usr/src/sus/nr-fbsd-01 i386
>Description:
When logging into my FreeBSD server, I logged on as my regular user and typed the password correctly but added a few extra characters after I entered my password. Surprisingly, the machine let me in. I tried to log in with a completely wrong password and it denied access. This problem also occurs when su'ing to root. I type su, then type the password (correctly) and add extra characters on the end and it granted me root access.
>How-To-Repeat:
Log in using an account, type the correct password and a few extra characters after the correct password and try to log in. You will be validated and access is granted.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: